Related Commands

interface port-channel

To access or create a port-channel interface, use the interface port-channel command.

interface port-channel channel-group

Syntax Description

channel-group

Port-channel group number; valid values are from 1 to 64.

Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You do not have to create a port-channel interface before assigning a physical interface to a channel group. A port-channel interface is created automatically when the channel group gets its first physical interface, if it is not already created.

You can also create the port channels by entering the interface port-channel command. This will create a Layer 3 port channel. To change the Layer 3 port channel into a Layer 2 port channel, use the switchport command before you assign the physical interfaces to the channel group. A port channel cannot be changed from Layer 3 to Layer 2 or vice versa when it contains member ports.

Only one port channel in a channel group is allowed.

Caution The Layer 3 port-channel interface is the routed interface. Do not enable Layer 3 addresses on the physical Fast Ethernet interfaces.

If you want to use CDP, you must configure it only on the physical Fast Ethernet interface and not on the port-channel interface.

Examples

This example creates a port-channel interface with a channel-group number of 64:

Related Commands

interface range

To run a command on multiple ports at the same time, use the interface range command.

interface range {vlan vlan_id - vlan_id} {port-range | macro name}

Syntax Description

vlan vlan_id - vlan_id

Specifies a VLAN range; valid values are from 1 to 4094.

port-range

Port range; for a list of valid values for port-range, see the "Usage Guidelines" section.

macro name

Specifies the name of a macro.

Defaults

This command has no default settings.

Command Modes

Global configuration

Interface configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended VLAN addresses added.

Usage Guidelines

You can use the interface range command on the existing VLAN SVIs only. To display the VLAN SVIs, enter the show running config command. The VLANs that are not displayed cannot be used in the interface range command.

The values that are entered with the interface range command are applied to all the existing VLAN SVIs.

All configuration changes that are made to a port range are saved to NVRAM, but the port ranges that are created with the interface range command do not get saved to NVRAM.

You can enter the port range in two ways:

• Specifying up to five port ranges

• Specifying a previously defined macro

You can either specify the ports or the name of a port-range macro. A port range must consist of the same port type, and the ports within a range cannot span the modules.

You can define up to five port ranges on a single command; separate each range with a comma.

When you define a range, you must enter a space between the first port and the hyphen (-):

interface range gigabitethernet 5/1 -20, gigabitethernet4/5 -20.

Use these formats when entering the port-range:

• interface-type {mod}/{first-port} - {last-port}

• interface-type {mod}/{first-port} - {last-port}

Valid values for interface-type are as follows:

• FastEthernet

• GigabitEthernet

• Vlan vlan_id

You cannot specify both a macro and an interface range in the same command. After creating a macro, you can enter additional ranges. If you have already entered an interface range, the CLI does not allow you to enter a macro.

You can specify a single interface in the port-range value. This makes the command similar to the interface interface-number command.

Examples

This example shows how to use the interface range command to interface to FE 5/18 - 20:

Related Commands

interface vlan

To create or access a Layer 3 switch virtual interface (SVI), use the interface vlan command. To delete an SVI, use the no form of this command.

interface vlan vlan_id

no interface vlan vlan_id

Syntax Description

vlan_id

Number of the VLAN; valid values are from 1 to 4094.

Defaults

Fast EtherChannel is not specified.

Command Modes

Global configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended addressing was added.

Usage Guidelines

The SVIs are created the first time that you enter the interface vlan vlan_id command for a particular VLAN. The vlan_id value corresponds to the VLAN tag that is associated with the data frames on an ISL or 802.1Q-encapsulated trunk or the VLAN ID that is configured for an access port. A message is displayed whenever a VLAN interface is newly created, so you can check that you entered the correct VLAN number.

If you delete an SVI by entering the no interface vlan vlan_id command, the associated interface is forced into an administrative down state and marked as deleted. The deleted interface will no longer be visible in a show interface command.

You can reinstate a deleted SVI by entering the interface vlan vlan_id command for the deleted interface. The interface comes back up, but much of the previous configuration will be gone.

Examples

This example shows the output when you enter the interface vlan vlan_id command for a new VLAN number:

Switch(config)# interface vlan 23

% Creating new VLAN interface.

Switch(config)#

ip arp inspection filter vlan

To permit ARPs from hosts that are configured for static IP when DAI is enabled and to define an ARP access list and apply it to a VLAN, use the ip arp inspection filter vlan command. To disable this application, use the no form of this command.

ip arp inspection filter arp-acl-name vlan vlan-range [static]

no ip arp inspection filter arp-acl-name vlan vlan-range [static]

Syntax Description

arp-acl-name

Access control list name.

vlan-range

VLAN number or range; valid values are from 1 to 4094.

static

(Optional) Specifies that the access control list should be applied statically.

Defaults

No defined ARP ACLs are applied to any VLAN.

Command Modes

Configuration

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

When an ARP access control list is applied to a VLAN for dynamic ARP inspection, the ARP packets containing only the IP-to-Ethernet MAC bindings are compared against the ACLs. All other packet types are bridged in the incoming VLAN without validation.

This command specifies that the incoming ARP packets are compared against the ARP access control list, and the packets are permitted only if the access control list permits them.

If the access control lists deny the packets because of explicit denies, the packets are dropped. If the packets are denied because of an implicit deny, they are then matched against the list of DHCP bindings if the ACL is not applied statically.
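The decision order described above (explicit permit, explicit deny, then implicit deny with or without the static keyword) can be traced with a small model. This Python code is an added example, not Cisco code; the ArpAce class, the verdict strings, the (VLAN, MAC) binding key and all addresses are constructed for illustration, and the drop on an implicit deny under static is this model's reading of the paragraph above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Verdict labels are hypothetical names used only by this model.
FORWARD_ACL = "forward: ACL permit"
DROP_EXPLICIT = "drop: explicit deny"
DROP_STATIC = "drop: implicit deny, ACL applied statically"
FORWARD_BINDING = "forward: DHCP binding"
DROP_NO_BINDING = "drop: no DHCP binding"


@dataclass(frozen=True)
class ArpAce:
    """One ARP ACL entry matching on the sender IP-to-MAC pair of an ARP packet."""
    action: str                 # "permit" or "deny"
    sender_ip: Optional[str]    # None matches any sender IP
    sender_mac: Optional[str]   # None matches any sender MAC (lower-case hex)

    def matches(self, ip: str, mac: str) -> bool:
        return self.sender_ip in (None, ip) and self.sender_mac in (None, mac)


def dai_filter_verdict(acl: List[ArpAce], static: bool,
                       bindings: Dict[Tuple[int, str], str],
                       vlan: int, ip: str, mac: str) -> str:
    """Return what happens to an ARP packet with this sender IP/MAC on this VLAN."""
    mac = mac.lower()
    for ace in acl:                      # first matching entry decides
        if ace.matches(ip, mac):
            return FORWARD_ACL if ace.action == "permit" else DROP_EXPLICIT
    # No entry matched: this is the implicit deny at the end of the ACL.
    if static:
        return DROP_STATIC               # bindings are not consulted
    if bindings.get((vlan, mac)) == ip:  # fall back to the DHCP snooping bindings
        return FORWARD_BINDING
    return DROP_NO_BINDING


# Constructed sample data: a gateway and a printer with static IPs, one DHCP client.
STATIC_HOSTS = [
    ArpAce("permit", "10.0.0.1", "00:aa:bb:cc:dd:ee"),   # gateway, static IP
    ArpAce("deny", "10.0.0.1", None),                    # anyone else claiming 10.0.0.1
    ArpAce("permit", "10.0.0.10", "00:11:22:33:44:55"),  # printer, static IP
]
DHCP_BINDINGS = {(1, "02:00:00:00:00:20"): "10.0.0.20"}


def demo() -> Dict[str, str]:
    """Evaluate the sample ACL for VLAN 1 with and without the static keyword."""
    client = ("10.0.0.20", "02:00:00:00:00:20")
    return {
        "gateway": dai_filter_verdict(STATIC_HOSTS, False, DHCP_BINDINGS, 1,
                                      "10.0.0.1", "00:AA:BB:CC:DD:EE"),
        "gateway_ip_wrong_mac": dai_filter_verdict(STATIC_HOSTS, False, DHCP_BINDINGS, 1,
                                                   "10.0.0.1", "02:00:00:00:00:20"),
        "dhcp_client": dai_filter_verdict(STATIC_HOSTS, False, DHCP_BINDINGS, 1, *client),
        "dhcp_client_static_acl": dai_filter_verdict(STATIC_HOSTS, True, DHCP_BINDINGS, 1, *client),
        "unknown_host": dai_filter_verdict(STATIC_HOSTS, False, DHCP_BINDINGS, 1,
                                           "10.0.0.30", "02:00:00:00:00:30"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The dhcp_client_static_acl case shows the operational risk of the static keyword: DHCP clients that are not listed in the ACL lose ARP connectivity.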

Examples

This example shows how to apply the ARP ACL "static-hosts" to VLAN 1 for DAI:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ip arp inspection filter static-hosts vlan 1

Switch(config)# end

Switch#

Switch# show ip arp inspection vlan 1

Source Mac Validation : Enabled

Destination Mac Validation : Disabled

IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL

---- ------------- --------- --------- ----------

1 Enabled Active static-hosts No

Vlan ACL Logging DHCP Logging

---- ----------- ------------

1 Acl-Match Deny

Switch#

Related Commands

ip arp inspection limit (interface)

To limit the rate of incoming ARP requests and responses on an interface and prevent DAI from consuming all of the system's resources in the event of a DoS attack, use the ip arp inspection limit command. To release the limit, use the no form of this command.

ip arp inspection limit {rate pps | none} [burst interval seconds]

no ip arp inspection limit

Syntax Description

rate pps

Specifies an upper limit on the number of incoming packets processed per second. The rate can range from 1 to 10000.

none

Specifies no upper limit on the rate of the incoming ARP packets that can be processed.

burst interval seconds

(Optional) Specifies the consecutive interval in seconds over which the interface is monitored for the high rate of the ARP packets. The interval is configurable from 1 to 15 seconds.

Defaults

The rate is set to 15 packets per second on the untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all the trusted interfaces.

The burst interval is set to 1 second by default.

Command Modes

Interface

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(20)EW

Added support for interface monitoring.

Usage Guidelines

The trunk ports should be configured with higher rates to reflect their aggregation. When the rate of the incoming packets exceeds the user-configured rate, the interface is placed into an error-disabled state. The error-disable timeout feature can be used to remove the port from the error-disabled state. The rate applies to both the trusted and nontrusted interfaces. Configure appropriate rates on trunks to handle the packets across multiple DAI-enabled VLANs or use the none keyword to make the rate unlimited.

The rate of the incoming ARP packets on the channel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for the channel ports only after examining the rate of the incoming ARP packets on the channel members.

After a switch receives more than the configured rate of packets every second consecutively over a period of burst seconds, the interface is placed into an error-disabled state.
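Before choosing a rate and burst interval, it helps to replay observed per-second ARP counts against the rule above and see when the port would be error-disabled. This Python model is an added example, not Cisco code; the function names and the traffic counts are constructed, and the model treats "more than the configured rate" as a strict comparison.

```python
from typing import List, Optional, Sequence


def first_errdisable_second(arp_per_second: Sequence[int],
                            rate: Optional[int],
                            burst_interval: int = 1) -> Optional[int]:
    """Return the 1-based second at which the interface would be error-disabled.

    rate=None models the 'none' keyword (no limit). The interface trips once the
    count exceeds 'rate' in 'burst_interval' consecutive seconds.
    """
    if rate is None:
        return None
    if not 1 <= rate <= 10000:
        raise ValueError("rate must be from 1 to 10000 pps")
    if not 1 <= burst_interval <= 15:
        raise ValueError("burst interval must be from 1 to 15 seconds")
    streak = 0
    for second, count in enumerate(arp_per_second, start=1):
        streak = streak + 1 if count > rate else 0   # any quiet second resets the streak
        if streak >= burst_interval:
            return second
    return None


def channel_counts(member_counts: Sequence[Sequence[int]]) -> List[int]:
    """Per-second ARP count seen by a port channel: the sum over its member ports."""
    return [sum(per_second) for per_second in zip(*member_counts)]


# Constructed sample: ARP packets per second observed on one access port.
OBSERVED = [12, 26, 27, 9, 30, 31, 32, 33, 34, 8]

# Constructed sample: three channel members, each steady at 10 ARP packets per second.
MEMBERS = [[10, 10, 10, 10], [10, 10, 10, 10], [10, 10, 10, 10]]

if __name__ == "__main__":
    print("rate 25, burst 1:", first_errdisable_second(OBSERVED, 25))
    print("rate 20, burst 5:", first_errdisable_second(OBSERVED, 20, 5))
    print("channel, rate 25, burst 3:",
          first_errdisable_second(channel_counts(MEMBERS), 25, 3))
```

Each channel member in the sample stays under 25 pps on its own, but the channel sees their sum and trips, which is why the channel limit has to be sized from the members' combined rate.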

Examples

This example shows how to limit the rate of the incoming ARP requests to 25 packets per second:

Switch# config terminal

Switch(config)# interface fa6/3

Switch(config-if)# ip arp inspection limit rate 25

Switch(config-if)# end

Switch# show ip arp inspection interfaces fastEthernet 6/3

Interface Trust State Rate (pps)

--------------- ----------- ----------

Fa6/3 Trusted 25

Switch#

This example shows how to limit the rate of the incoming ARP requests to 20 packets per second and to set the interface monitoring interval to 5 consecutive seconds:

Syntax Description

Number of entries from the logging buffer; the range is from 0 to 1024.

logs number

Number of entries to be logged in an interval; the range is from 0 to 1024. A 0 value indicates that entries should not be logged out of this buffer.

interval seconds

Logging rate; the range is from 0 to 86400 (1 day). A 0 value indicates an immediate log.

Defaults

When dynamic ARP inspection is enabled, denied or dropped ARP packets are logged.

The number of entries is set to 32.

The number of logging entries is limited to 5 per second.

The interval is set to 1.

Command Modes

Configuration

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The first dropped packet of a given flow is logged immediately. The subsequent packets for the same flow are registered but are not logged immediately. Registering these packets is done in a log buffer that is shared by all the VLANs. Entries from this buffer are logged on a rate-controlled basis.

Examples

This example shows how to configure the logging buffer to hold up to 45 entries:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ip arp inspection log-buffer entries 45

Switch(config)# end

Switch# show ip arp inspection log

Total Log Buffer Size : 45

Syslog rate : 5 entries per 1 seconds.

No entries in log buffer.

Switch#

This example shows how to configure the logging rate to 10 logs per 3 seconds:

Switch(config)# ip arp inspection log-buffer logs 10 interval 3

Switch(config)# end

Switch# show ip arp inspection log

Total Log Buffer Size : 45

Syslog rate : 10 entries per 3 seconds.

No entries in log buffer.

Switch#

Related Commands

ip arp inspection trust

To set a per-port configurable trust state that determines the set of interfaces where incoming ARP packets are inspected, use the ip arp inspection trust command. To make the interfaces untrusted, use the no form of this command.

ip arp inspection trust

no ip arp inspection trust

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Interface

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Related Commands

ip arp inspection validate

To perform specific checks for ARP inspection, use the ip arp inspection validate command. To disable checks, use the no form of this command.

ip arp inspection validate [src-mac] [dst-mac] [ip]

no ip arp inspection validate [src-mac] [dst-mac] [ip]

Syntax Description

src-mac

(Optional) Checks the source MAC address in the Ethernet header against the sender's MAC address in the ARP body. This checking is done against both ARP requests and responses.

Note When enabled, packets with different MAC addresses are classified as invalid and are dropped.

dst-mac

(Optional) Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body. This checking is done for ARP responses.

Note When enabled, the packets with different MAC addresses are classified as invalid and are dropped.

ip

(Optional) Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.

The sender IP addresses are checked in all ARP requests and responses and target IP addresses are checked only in ARP responses.

Defaults

Checks are disabled.

Command Modes

Configuration

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

When enabling the checks, specify at least one of the keywords (src-mac, dst-mac, and ip) on the command line. Each command overrides the configuration of the previous command. If a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

The no form of this command disables only the specified checks. If none of the check options are enabled, all the checks are disabled.
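The src-mac, dst-mac and ip checks described above differ in whether they apply to requests, responses or both, which is easiest to see by running them over raw frames. This Python model is an added example, not Cisco code; the frames are constructed test data, the function names are hypothetical, and only untagged Ethernet II frames carrying IPv4 ARP are handled.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build an Ethernet II + ARP frame from text addresses (used for test data only)."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac(sha), ipaddress.IPv4Address(spa).packed,
                      mac(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("too short for an Ethernet header plus ARP body")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def bad_ip(packed: bytes) -> bool:
    """True for 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    addr = ipaddress.IPv4Address(packed)
    return int(addr) in (0, 0xFFFFFFFF) or addr.is_multicast


def failed_checks(frame: bytes, enabled: set) -> list:
    """Return the enabled checks that this frame fails (empty list: frame passes)."""
    unknown = set(enabled) - {"src-mac", "dst-mac", "ip"}
    if unknown:
        raise ValueError(f"unknown check(s): {sorted(unknown)}")
    p = parse_arp_frame(frame)
    is_reply = p["oper"] == ARP_REPLY
    failed = []
    # src-mac: Ethernet source vs. ARP sender MAC, for requests and responses.
    if "src-mac" in enabled and p["eth_src"] != p["sha"]:
        failed.append("src-mac")
    # dst-mac: Ethernet destination vs. ARP target MAC, for responses only.
    if "dst-mac" in enabled and is_reply and p["eth_dst"] != p["tha"]:
        failed.append("dst-mac")
    # ip: sender IP always checked, target IP only in responses.
    if "ip" in enabled and (bad_ip(p["spa"]) or (is_reply and bad_ip(p["tpa"]))):
        failed.append("ip")
    return failed


# Constructed sample frames.
HOST, GW, OTHER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "02:00:00:00:00:99"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
ALL = {"src-mac", "dst-mac", "ip"}

CLEAN_REQUEST = build_arp_frame(BCAST, HOST, ARP_REQUEST, HOST, "10.0.0.5", ZERO, "10.0.0.1")
SRC_MISMATCH_REPLY = build_arp_frame(HOST, OTHER, ARP_REPLY, GW, "10.0.0.1", HOST, "10.0.0.5")
DST_MISMATCH_REPLY = build_arp_frame(HOST, GW, ARP_REPLY, GW, "10.0.0.1", OTHER, "10.0.0.5")
MCAST_TARGET_REPLY = build_arp_frame(HOST, GW, ARP_REPLY, GW, "10.0.0.1", HOST, "224.0.0.1")
BCAST_TARGET_REQUEST = build_arp_frame(BCAST, HOST, ARP_REQUEST, HOST, "10.0.0.5", ZERO,
                                       "255.255.255.255")

if __name__ == "__main__":
    for name in ("CLEAN_REQUEST", "SRC_MISMATCH_REPLY", "DST_MISMATCH_REPLY",
                 "MCAST_TARGET_REPLY", "BCAST_TARGET_REQUEST"):
        print(f"{name:22} {failed_checks(globals()[name], ALL)}")
```

Because each validate command replaces the previous one, a switch left with only the ip check enabled would pass SRC_MISMATCH_REPLY: failed_checks(SRC_MISMATCH_REPLY, {"ip"}) returns an empty list.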

Syntax Description

Number of the VLANs to be mapped to the specified instance. The number is entered as a single value or a range; valid values are from 1 to 4094.

acl-match

Specifies the logging criteria for packets that are dropped or permitted based on ACL matches.

matchlog

Specifies that logging of packets matched against ACLs is controlled by the matchlog keyword in the permit and deny access control entries of the ACL.

Note By default, the matchlog keyword is not available on the ACEs. When the keyword is used, denied packets are not logged. Packets are logged only when they match against an ACE that has the matchlog keyword.

none

Specifies that ACL-matched packets are not logged.

dhcp-bindings

Specifies the logging criteria for packets dropped or permitted based on matches against the DHCP bindings.

permit

Specifies logging when permitted by DHCP bindings.

all

Specifies logging when permitted or denied by DHCP bindings.

none

Prevents all logging of packets permitted or denied by DHCP bindings.

Defaults

All denied or dropped packets are logged.

Command Modes

Configuration

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The acl-match and dhcp-bindings keywords merge with each other. When you set an ACL match configuration, the DHCP bindings configuration is not disabled. You can use the no form of this command to reset some of the logging criteria to their defaults. If you do not specify either option, all the logging types are reset to log on when the ARP packets are denied. The two options that are available to you are as follows:

•acl-match—Logging on ACL matches is reset to log on deny

•dhcp-bindings—Logging on DHCP binding compared is reset to log on deny

Examples

This example shows how to configure an ARP inspection on VLAN 1 to add packets to a log on matching against the ACLs with the logging keyword:

Switch# config terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ip arp inspection vlan 1 logging acl-match matchlog

Switch(config)# end

Switch# show ip arp inspection vlan 1

Source Mac Validation : Enabled

Destination Mac Validation : Disabled

IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL

---- ------------- --------- --------- ----------

1 Enabled Active

Vlan ACL Logging DHCP Logging

---- ----------- ------------

1 Acl-Match Deny

Switch#

Related Commands

ip cef load-sharing algorithm

To configure the load-sharing hash function so that the source TCP/UDP port, the destination TCP/UDP port, or both ports can be included in the hash in addition to the source and destination IP addresses, use the ip cef load-sharing algorithm command. To revert back to the default, which does not include the ports, use the no form of this command.

Syntax Description

Specifies the destination port in the load-balancing hash. Uses the source and destination in hash functions.

original

Specifies the original algorithm; not recommended.

tunnel

Specifies the algorithm for use in tunnel-only environments.

universal

Specifies the default Cisco IOS load-sharing algorithm.

Defaults

Default load-sharing algorithm is disabled.

Note This option does not include the source or destination port in the load-balancing hash.

Command Modes

Global configuration

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The original algorithm, tunnel algorithm, and universal algorithm are routed through the hardware. For software-routed packets, the algorithms are handled by the software. The include-ports option does not apply to the software-switched traffic.

Examples

This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 ports:

Switch(config)# ip cef load-sharing algorithm include-ports

Switch(config)#

This example shows how to configure the IP CEF load-sharing algorithm that includes Layer 4 tunneling ports:

Related Commands

ip dhcp snooping database

To store the bindings that are generated by DHCP snooping, use the ip dhcp snooping database command. To either reset the timeout, reset the write-delay, or delete the agent specified by the URL, use the no form of this command.

Specifies when to abort the database transfer process after a change to the binding database.

The minimum value of the delay is 15 seconds. 0 is defined as an infinite duration.

write-delay seconds

Specifies the duration for which the transfer should be delayed after a change to the binding database.

Defaults

The timeout value is set to 300 seconds (5 minutes).

The write-delay value is set to 300 seconds.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You need to create an empty file at the configured URL on network-based URLs (such as TFTP and FTP) before the switch can write the set of bindings for the first time at the URL.

Note Because both NVRAM and bootflash have limited storage capacity, using TFTP or network-based files is recommended. If you use flash to store the database file, new updates (by the agent) result in the creation of new files (flash fills quickly). In addition, due to the nature of the filesystem used on the flash, a large number of files causes access to slow considerably. When a file is stored in a remote location accessible through TFTP, an RPR/SSO standby supervisor engine can take over the binding list when a switchover occurs.

Examples

This example shows how to store a database file with the IP address 10.1.1.1 within a directory called directory. A file named file must be present on the TFTP server.

Related Commands

ip dhcp snooping information option allow-untrusted

To allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port, use the ip dhcp snooping information option allow-untrusted command. To disallow receipt of these DHCP packets, use the no form of this command.

ip dhcp snooping information option allow-untrusted

no ip dhcp snooping information option allow-untrusted

Syntax Description

This command has no arguments or keywords.

Defaults

DHCP packets with option 82 are not allowed on snooping untrusted ports.

Command Modes

Global configuration

Command History

Release

Modification

12.2(25)EWA

Support for this command was introduced on the Catalyst 4500 series switch.

Examples

This example shows how to allow DHCP packets with option 82 data inserted to be received from a snooping untrusted port:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# ip dhcp snooping information option allow-untrusted

Switch(config)# end

Switch#

Related Commands

ip dhcp snooping limit rate

To configure the number of the DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate command. To disable the DHCP snooping rate limiting, use the no form of this command.

ip dhcp snooping limit rate rate

no ip dhcp snooping limit rate

Syntax Description

rate

Number of DHCP messages a switch can receive per second.

Defaults

DHCP snooping rate limiting is disabled.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Typically, the rate limit applies to the untrusted interfaces. If you want to set up rate limiting for the trusted interfaces, note that the trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit of the interfaces to a higher value.

Related Commands

ip igmp filter

To control whether all hosts on a Layer 2 interface can join one or more IP multicast groups by applying an IGMP profile to the interface, use the ip igmp filter command. To remove a profile from the interface, use the no form of this command.

ip igmp filter profile number

no ip igmp filter

Syntax Description

profile number

IGMP profile number to be applied; valid values are from 1 to 429496795.

Defaults

Profiles are not applied.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(11b)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You can apply IGMP filters only to Layer 2 physical interfaces; you cannot apply IGMP filters to routed ports, switch virtual interfaces (SVIs), or ports that belong to an EtherChannel group.

An IGMP profile can be applied to one or more switch port interfaces, but one port can have only one profile applied to it.

Related Commands

ip igmp max-groups

To set the maximum number of IGMP groups that a Layer 2 interface can join, use the ip igmp max-groups command. To set the maximum back to the default, use the no form of this command.

ip igmp max-groups number

no ip igmp max-groups

Syntax Description

number

Maximum number of IGMP groups that an interface can join; valid values are from 0 to 4294967294.

Defaults

No maximum limit.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(11b)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You can use the ip igmp max-groups command only on Layer 2 physical interfaces; you cannot set the IGMP maximum groups for the routed ports, the switch virtual interfaces (SVIs), or the ports that belong to an EtherChannel group.

Examples

This example shows how to limit the number of IGMP groups that an interface can join to 25:

Switch(config)# interface gigabitethernet1/1

Switch(config-if)# ip igmp max-groups 25

Switch(config-if)#

ip igmp profile

To create an IGMP profile, use the ip igmp profile command. To delete the IGMP profile, use the no form of this command.

ip igmp profile profile number

no ip igmp profile profile number

Syntax Description

profile number

IGMP profile number being configured; valid values are from 1 to 4294967295.

Defaults

No profile created.

Command Modes

Global configuration

IGMP profile configuration

Command History

Release

Modification

12.1(11b)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

When entering a range, enter the low IP multicast address, a space, and the high IP multicast address.

You can apply an IGMP profile to one or more Layer 2 interfaces, but each interface can have only one profile applied to it.

Examples

This example shows how to configure IGMP profile 40 that permits the specified range of IP multicast addresses:

Related Commands

ip igmp query-interval

To configure the frequency that the switch sends the IGMP host-query messages, use the ip igmp query-interval command. To return to the default frequency, use the no form of this command.

ip igmp query-interval seconds

no ip igmp query-interval

Syntax Description

seconds

Frequency, in seconds, at which the IGMP host-query messages are transmitted; valid values depend on the IGMP snooping mode. See the "Usage Guidelines" section for more information.

Defaults

The query interval is set to 60 seconds.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

If you use the default IGMP snooping configuration, the valid query interval values are from 1 to 65535 seconds. If you have changed the default configuration to support CGMP as the IGMP snooping learning method, the valid query interval values are from 1 to 300 seconds.

The designated switch for a LAN is the only switch that sends the IGMP host-query messages. For IGMP version 1, the designated switch is elected according to the multicast routing protocol that runs on the LAN. For IGMP version 2, the designated querier is the lowest IP-addressed multicast switch on the subnet.

If no queries are heard for the timeout period (controlled by the ip igmp query-timeout command), the switch becomes the querier.

Note Changing the timeout period may severely impact multicast forwarding.

Examples

This example shows how to change the frequency at which the designated switch sends the IGMP host-query messages:

Related Commands

ip route-cache flow

To enable NetFlow statistics for IP routing, use the ip route-cache flow command. To disable NetFlow statistics, use the no form of this command.

ip route-cache flow [infer-fields]

no ip route-cache flow [infer-fields]

Syntax Description

infer-fields

(Optional) Includes the NetFlow fields as inferred by the software: Input identifier, Output identifier, and Routing information.

Defaults

NetFlow statistics are disabled.

Inferred information is excluded.

Command Modes

Configuration

Command History

Release

Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.

12.1(19)EW

Command enhanced to support infer fields.

Usage Guidelines

To use these commands, you need to install the Supervisor Engine IV and the NetFlow Service Card.

The NetFlow statistics feature captures a set of traffic statistics. These traffic statistics include the source IP address, destination IP address, Layer 4 port information, protocol, input and output identifiers, and other routing information that can be used for network analysis, planning, accounting, billing and identifying DoS attacks.

NetFlow switching is supported on IP and IP-encapsulated traffic over all interface types.

If you enter the ip route-cache flow infer-fields command after the ip route-cache flow command, you will purge the existing cache, and vice versa. This action is done to avoid having flows with and without inferred fields in the cache simultaneously.

Defaults

Command Modes

Command History

Usage Guidelines

The ip source binding command is used to add a static IP source binding entry only.

The no form of this command deletes the corresponding IP source binding entry. For the deletion to succeed, all required parameters must match.

Each static IP binding entry is keyed by a MAC address and VLAN number. If the CLI contains an existing MAC and VLAN, the existing binding entry will be updated with the new parameters; a separate binding entry will not be created.

Related Commands

ip verify header vlan all

To enable IP header validation for Layer 2-switched IPv4 packets, use the ip verify header vlan all command. To disable the IP header validation, use the no form of this command.

ip verify header vlan all

no ip verify header vlan all

Syntax Description

This command has no default settings.

Defaults

The IP header is validated for bridged and routed IPv4 packets.

Command Modes

Configuration

Command History

Release

Modification

12.1(20)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command does not apply to Layer 3-switched (routed) packets.

The Catalyst 4500 series switch checks the validity of the following fields in the IPv4 header for all switched IPv4 packets:

• The version must be 4.

• The header length must be greater than or equal to 20 bytes.

• The total length must be greater than or equal to four times the header length and greater than the Layer 2 packet size minus the Layer 2 encapsulation size.

If an IPv4 packet fails the IP header validation, the packet is dropped. If you disable the header validation, the packets with the invalid IP headers are bridged but are not routed even if routing was intended. The IPv4 access lists also are not applied to the IP headers.

Examples

This example shows how to disable the IP header validation for the Layer 2-switched IPv4 packets:

Switch# config terminal

Switch(config)# no ip verify header vlan all

Switch(config)# end

Switch#

ip verify source vlan dhcp-snooping

To enable IP source guard on DHCP snooping on untrusted Layer 2 interfaces, use the ip verify source vlan dhcp-snooping command. To disable IP source guard on DHCP snooping on untrusted Layer 2 interfaces, use the no form of this command.

ip verify source vlan dhcp-snooping [port-security]

no ip verify source vlan dhcp-snooping [port-security]

Syntax Description

port-security

(Optional) Filters both source IP and MAC addresses using the port security feature.

Defaults

IP source guard is disabled.

Command Modes

Global configuration

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Interface configuration

Examples

This example shows how to enable DHCP snooping security on VLANs 10 through 20:

l2protocol-tunnel

To enable protocol tunneling on an interface, use the l2protocol-tunnel command. You can enable tunneling for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable tunneling on the interface, use the no form of this command.

l2protocol-tunnel [cdp | stp | vtp]

no l2protocol-tunnel [cdp | stp | vtp]

Syntax Description

cdp

(Optional) Enables tunneling of CDP.

stp

(Optional) Enables tunneling of STP.

vtp

(Optional) Enables tunneling of VTP.

Defaults

By default, no Layer 2 protocol packets are tunneled.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You must enter this command, with or without protocol types, to tunnel Layer 2 packets.

Layer 2 protocol tunneling across a service-provider network ensures that Layer 2 information is propagated across the network to all customer locations. When protocol tunneling is enabled, protocol packets are encapsulated with a well-known Cisco multicast address for transmission across the network. When the packets reach their destination, the well-known MAC address is replaced by the Layer 2 protocol MAC address.

You can enable Layer 2 protocol tunneling for CDP, STP, and VTP individually or for all three protocols.

Examples

This example shows how to enable protocol tunneling for the CDP packets:

Related Commands

l2protocol-tunnel drop-threshold

To set a drop threshold for the maximum rate of Layer 2 protocol packets per second to be received before an interface drops packets, use the l2protocol-tunnel drop-threshold command. You can set the drop threshold for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the drop threshold on the interface, use the no form of this command.

l2protocol-tunnel drop-threshold [cdp | stp | vtp] value

no l2protocol-tunnel drop-threshold [cdp | stp | vtp] value

Syntax Description

cdp

(Optional) Specifies a drop threshold for CDP.

stp

(Optional) Specifies a drop threshold for STP.

vtp

(Optional) Specifies a drop threshold for VTP.

value

Specifies a threshold in packets per second to be received for encapsulation before the interface shuts down, or specifies the threshold before the interface drops packets. The range is 1 to 4096. The default is no threshold.

Defaults

The default is no drop threshold for the number of the Layer 2 protocol packets.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The l2protocol-tunnel drop-threshold command controls the number of protocol packets per second that are received on an interface before it drops packets. When no protocol option is specified with a keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a shutdown threshold on the interface, the drop-threshold value must be less than or equal to the shutdown-threshold value.

When the drop threshold is reached, the interface drops the Layer 2 protocol packets until the rate at which they are received is below the drop threshold.

Examples

This example shows how to configure the drop threshold rate:

Switch(config-if)# l2protocol-tunnel drop-threshold cdp 50

Switch(config-if)#

Related Commands

l2protocol-tunnel shutdown-threshold

To configure the protocol tunneling encapsulation rate, use the l2protocol-tunnel shutdown-threshold command. You can set the encapsulation rate for the Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP), or VLAN Trunking Protocol (VTP) packets. To disable the encapsulation rate on the interface, use the no form of this command.

l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value

no l2protocol-tunnel shutdown-threshold [cdp | stp | vtp] value

Syntax Description

cdp

(Optional) Specifies a shutdown threshold for CDP.

stp

(Optional) Specifies a shutdown threshold for STP.

vtp

(Optional) Specifies a shutdown threshold for VTP.

value

Specifies a threshold in packets per second to be received for encapsulation before the interface shuts down. The range is 1 to 4096. The default is no threshold.

Defaults

The default is no shutdown threshold for the number of Layer 2 protocol packets.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The l2protocol-tunnel shutdown-threshold command controls the number of protocol packets per second that are received on an interface before it shuts down. When no protocol option is specified with the keyword, the threshold is applied to each of the tunneled Layer 2 protocol types. If you also set a drop threshold on the interface, the shutdown-threshold value must be greater than or equal to the drop-threshold value.

When the shutdown threshold is reached, the interface is error disabled. If you enable error recovery by entering the errdisable recovery cause l2ptguard command, the interface is brought out of the error-disabled state and allowed to retry the operation when all the causes have timed out. If error recovery is not enabled for l2ptguard, the interface stays in the error-disabled state until you enter the shutdown and no shutdown commands.
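An added example (not from the Cisco documentation): a Python audit of the drop-threshold and shutdown-threshold rules described in the two command entries above, run over a constructed configuration excerpt. It assumes the configuration lists the commands in the syntax shown on this page; the function names and the sample interfaces are hypothetical.

```python
import re

PROTOCOLS = ("cdp", "stp", "vtp")
LINE_RE = re.compile(
    r"^l2protocol-tunnel(?:\s+(drop-threshold|shutdown-threshold))?"
    r"(?:\s+(cdp|stp|vtp))?(?:\s+(\d+))?$"
)

# Constructed sample, not taken from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet2/1
 l2protocol-tunnel cdp
 l2protocol-tunnel drop-threshold cdp 50
 l2protocol-tunnel shutdown-threshold cdp 100
!
interface FastEthernet2/2
 l2protocol-tunnel
 l2protocol-tunnel drop-threshold 200
 l2protocol-tunnel shutdown-threshold stp 100
!
interface FastEthernet2/3
 l2protocol-tunnel vtp
!
"""


def parse_interfaces(config):
    """Map interface name -> tunneled protocols and per-protocol thresholds."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].strip()
            current = interfaces.setdefault(
                name, {"tunnel": set(), "drop": {}, "shutdown": {}})
            continue
        if not raw[:1].isspace():       # "!" or a global command ends the stanza
            current = None
            continue
        match = LINE_RE.match(raw.strip())
        if current is None or match is None:
            continue
        kind, proto, value = match.groups()
        # With no protocol keyword the setting applies to each protocol type.
        targets = (proto,) if proto else PROTOCOLS
        if kind is None:
            if value is None:
                current["tunnel"].update(targets)
        elif value is not None:
            key = kind.split("-")[0]    # "drop" or "shutdown"
            for name in targets:
                current[key][name] = int(value)
    return interfaces


def audit(config):
    """Return (interface, protocol, finding) tuples for rule violations."""
    findings = []
    for name, cfg in parse_interfaces(config).items():
        for kind in ("drop", "shutdown"):
            for proto, value in cfg[kind].items():
                if not 1 <= value <= 4096:
                    findings.append(
                        (name, proto, f"{kind}-threshold {value} outside 1-4096"))
        for proto in PROTOCOLS:
            drop = cfg["drop"].get(proto)
            shut = cfg["shutdown"].get(proto)
            if drop is not None and shut is not None and drop > shut:
                findings.append(
                    (name, proto, "drop-threshold exceeds shutdown-threshold"))
            # The default is no threshold, so a tunneled protocol without
            # either command accepts protocol packets at any rate.
            if proto in cfg["tunnel"] and drop is None and shut is None:
                findings.append(
                    (name, proto, "tunneled with no drop or shutdown threshold"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```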

Related Commands

lacp port-priority

To set the LACP priority for the physical interfaces, use the lacp port-priority command.

lacp port-priority priority

Syntax Description

priority

Priority for the physical interfaces; valid values are from 1 to 65535.

Defaults

Priority is set to 32768.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(13)EW

This command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

This command is not supported on the systems that are configured with a Supervisor Engine I.

You must assign each port in the switch a port priority that can be specified automatically or by entering the lacp port-priority command. The port priority is used with the port number to form the port identifier. The port priority is used to decide which ports should be put in standby mode when there is a hardware limitation that prevents all compatible ports from aggregating.

Although this command is a global configuration command, the priority value is supported only on port channels with LACP-enabled physical interfaces. This command is supported on LACP-enabled interfaces.

When setting the priority, the higher numbers indicate lower priorities.

Related Commands

lacp system-priority

To set the priority of the system for LACP, use the lacp system-priority command.

lacp system-priority priority

Syntax Description

priority

Priority of the system; valid values are from 1 to 65535.

Defaults

Priority is set to 32768.

Command Modes

Global configuration mode

Command History

Release

Modification

12.1(13)EW

This command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

This command is not supported on systems that are configured with a Supervisor Engine I.

You must assign each switch that is running LACP a system priority that can be specified automatically or by entering the lacp system-priority command. The system priority is used with the switch MAC address to form the system ID and is also used during negotiation with other systems.

Although this command is a global configuration command, the priority value is supported on port channels with LACP-enabled physical interfaces.

When you enter the src-mac mask or dest-mac mask value, follow these guidelines:

•Enter the MAC addresses as three 4-byte values in dotted hexadecimal format such as 0030.9629.9f84.

•Enter the MAC address masks as three 4-byte values in dotted hexadecimal format. Use 1 bit as a wildcard. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).

•For the optional protocol parameter, you can enter either the EtherType or the keyword.

•Entries without a protocol parameter match any protocol.

•The access list entries are scanned in the order that you enter them. The first matching entry is used. To improve performance, place the most commonly used entries near the beginning of the access list.

•An implicit deny any any entry exists at the end of an access list unless you include an explicit permit any any entry at the end of the list.

•All new entries to an existing list are placed at the end of the list. You cannot add entries to the middle of a list.
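An added example (not Cisco code) that models the matching rules in the guidelines above: dotted-hexadecimal addresses, masks in which a 1 bit is a wildcard, first-match evaluation, the implicit deny, and a check for entries that can never match because an earlier entry already covers them. The Entry class, the function names and the sample frames are hypothetical; the addresses come from the mac_layer example on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

FULL = 0xFFFFFFFFFFFF
ANY = ("0.0.0", "ffff.ffff.ffff")   # any address: every mask bit is a wildcard


def parse_mac(text):
    """Parse three dot-separated groups of up to four hex digits
    (0030.9629.9f84, or 0.0.0) into a 48-bit integer."""
    groups = text.split(".")
    if len(groups) != 3 or not all(
            re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError(f"not a dotted-hex MAC address: {text!r}")
    value = 0
    for group in groups:
        value = (value << 16) | int(group, 16)
    return value


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    ethertype: Optional[int] = None  # None matches any protocol

    def fields(self):
        return ((parse_mac(self.src), parse_mac(self.src_mask)),
                (parse_mac(self.dst), parse_mac(self.dst_mask)))


def addr_match(addr, pattern, mask):
    # Only bits whose mask bit is 0 have to agree.
    return ((addr ^ pattern) & ~mask & FULL) == 0


def evaluate(acl, src, dst, ethertype=None):
    """Return (action, index of the matching entry); index is None when the
    frame falls through to the implicit deny."""
    s, d = parse_mac(src), parse_mac(dst)
    for index, entry in enumerate(acl):
        (sp, sm), (dp, dm) = entry.fields()
        if entry.ethertype is not None and entry.ethertype != ethertype:
            continue
        if addr_match(s, sp, sm) and addr_match(d, dp, dm):
            return entry.action, index
    return "deny", None


def covers(outer, inner):
    """True when every address matched by `inner` is also matched by `outer`."""
    (op, om), (ip, im) = outer, inner
    return (im & ~om & FULL) == 0 and ((op ^ ip) & ~om & FULL) == 0


def shadowed_entries(acl):
    """Indexes of entries that an earlier entry makes unreachable."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            proto_ok = (earlier.ethertype is None
                        or earlier.ethertype == later.ethertype)
            if proto_ok and all(covers(o, i) for o, i in
                                zip(earlier.fields(), later.fields())):
                dead.append(j)
                break
    return dead


# The list described in the Examples section: deny one host pair, permit the rest.
MAC_LAYER = [
    Entry("deny", "0000.4700.0001", "0.0.0", "0000.4700.0009", "0.0.0"),
    Entry("permit", *ANY, *ANY),
]

if __name__ == "__main__":
    print(evaluate(MAC_LAYER, "0000.4700.0001", "0000.4700.0009"))
    print(evaluate(MAC_LAYER, "0000.4700.0002", "0000.4700.0009"))
    # New entries go to the end of the list, so a deny added after the
    # permit-any entry is never reached.
    appended = MAC_LAYER + [Entry("deny", "0000.4700.0000", "0000.00ff.ffff", *ANY)]
    print(shadowed_entries(appended))
```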

Examples

This example shows how to create a MAC layer access list named mac_layer that denies traffic from 0000.4700.0001, which is going to 0000.4700.0009, and permits all other traffic:

Related Commands

mac-address-table dynamic group protocols

To enable the learning of MAC addresses in both the "ip" and "other" protocol buckets, even though the incoming packet may belong to only one of the protocol buckets, use the mac-address-table dynamic group protocols command. To disable grouped learning, use the no form of this command.

mac-address-table dynamic group protocols {ip | other} {ip | other}

[no] mac-address-table dynamic group protocols {ip | other} {ip | other}

Syntax Description

ip

Specifies the "ip" protocol bucket.

other

Specifies the "other" protocol bucket.

Defaults

The group learning feature is disabled.

Command Modes

Global configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The entries within the "ip" and "other" protocol buckets are created according to the protocol of the incoming traffic.

When you use the mac-address-table dynamic group protocols command, an incoming MAC address that might belong to either the "ip" or the "other" protocol bucket is learned on both protocol buckets. Therefore, any traffic destined to this MAC address and belonging to any of the protocol buckets is unicasted to that MAC address, rather than flooded. This reduces the unicast Layer 2 flooding that might be caused if the incoming traffic from a host belongs to a different protocol bucket than the traffic that is destined to the sending host.

Examples

This example shows that the MAC addresses are initially assigned to either the "ip" or the "other" protocol bucket:

Related Commands

mac-address-table dynamic (refer to Cisco IOS documentation)

mac-address-table static

To configure the static MAC addresses for a VLAN interface or drop unicast traffic for a MAC address for a VLAN interface, use the mac-address-table static command. To remove the static MAC address configurations, use the no form of this command.

Syntax Description

Interface type and number; valid options are FastEthernet and GigabitEthernet.

drop

Drops all traffic received from and going to the configured MAC address in the specified VLAN.

Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release

Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

When a static MAC address is installed, it is associated with a port.

The output interface specified must be a Layer 2 interface and not an SVI.

If you do not enter a protocol type, an entry is automatically created for each of the four protocol types.

Entering the no form of this command does not remove the system MAC addresses.

When removing a MAC address, entering interface int is optional. For unicast entries, the entry is removed automatically. For multicast entries, if you do not specify an interface, the entire entry is removed. You can specify the selected ports to be removed by specifying the interface.

Examples

This example shows how to add the static entries to the MAC address table:

Related Commands

macro apply cisco-desktop

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop, use the macro apply cisco-desktop command.

macro apply cisco-desktop $AVID access_vlanid

Syntax Description

$AVID access_vlanid

Specifies an access VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Related Commands

macro apply cisco-phone

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a standard desktop and a Cisco IP phone, use the macro apply cisco-phone command.

macro apply cisco-phone $AVID access_vlanid $VVID voice_vlanid

Syntax Description

$AVID access_vlanid

Specifies an access VLAN ID.

$VVID voice_vlanid

Specifies a voice VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Related Commands

macro apply cisco-router

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to a router, use the macro apply cisco-router command.

macro apply cisco-router $NVID native_vlanid

Syntax Description

$NVID native_vlanid

Specifies a native VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply the macro apply cisco-router command, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Related Commands

macro apply cisco-switch

To enable the Cisco-recommended features and settings that are suitable for connecting a switch port to another switch, use the macro apply cisco-switch command.

macro apply cisco-switch $NVID native_vlanid

Syntax Description

$NVID native_vlanid

Specifies a native VLAN ID.

Defaults

This command has no default settings.

Command Modes

Interface configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command can only be viewed and applied; it cannot be modified.

Ensure that the existing configuration on the interface does not conflict with the intended macro configuration. Before you apply this macro, clear the configuration on the interface with the default interface command.

Examples

This example shows how to enable the Cisco-recommended features and settings on port fa2/1:

Related Commands

main-cpu

To enter the main CPU submode and manually synchronize the configurations on the two supervisor engines, use the main-cpu command.

main-cpu

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

Redundancy

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch (Catalyst 4507R only).

Usage Guidelines

The main CPU submode is used to manually synchronize the configurations on the two supervisor engines.

From the main CPU submode, use the auto-sync command to enable automatic synchronization of the configuration files in NVRAM.

Note After you enter the main CPU submode, you can use the auto-sync command to automatically synchronize the configuration between the primary and secondary route processors based on the primary configuration. In addition, you can use all of the redundancy commands that are applicable to the main CPU.

Examples

This example shows how to reenable the default automatic synchronization feature using the auto-sync standard command to synchronize the startup-config and config-register configuration of the active supervisor engine with the standby supervisor engine. The updates for the boot variables are automatic and cannot be disabled.

Related Commands

match flow ip

To specify match criteria to treat flows with a unique source or destination address as a new flow, use the match flow ip command. To disable this function, use the no form of this command.

match flow ip {source-address | destination-address}

no match flow ip {source-address | destination-address}

Syntax Description

source-address

Establishes a new flow from a flow with a unique IP source address.

destination-address

Establishes a new flow from a flow with a unique IP destination address.

Defaults

None.

Command Modes

class-map configuration submode

Command History

Release

Modification

12.2(25)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

When you specify the source-address keyword, each flow with a unique source address is treated as a new flow. When you specify the destination-address keyword, each flow with a unique destination address is treated as a new flow.

A policy map is called a flow-based policy map when you configure the flow keywords on the class map that it uses. To attach a flow-based policy map as a child to an aggregate policy map, use the service-policy command.

Note The match flow command is available on the Catalyst 4500 series switch only when Supervisor Engine VI (WS-X4516-10GE) is present.

Examples

This example shows how to create a flow-based class map associated with a source address:

Switch(config)# class-map match-all c1

Switch(config-cmap)# match flow ip source-address

Switch(config-cmap)# end

Switch#

Switch# show class-map c1

Class Map match-all c1 (id 2)

Match flow ip source-address

Switch#

This example shows how to create a flow-based class map associated with a destination address:

Switch(config)# class-map match-all c1

Switch(config-cmap)# match flow ip destination-address

Switch(config-cmap)# end

Switch#

Switch# show class-map c1

Class Map match-all c1 (id 2)

Match flow ip destination-address

Switch#

Assume there are two active flows on the Fast Ethernet interface 6/1 with source addresses 192.168.10.20 and 192.168.10.21. The following example shows how to maintain each flow to 1 Mbps with an allowed burst value of 9000 bytes:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# class-map c1

Switch(config-cmap)# match flow ip source-address

Switch(config-cmap)# exit

Switch(config)# policy-map p1

Switch(config-pmap)# class c1

Switch(config-pmap-c)# police 1000000 9000

Switch(config-pmap-c)# exit

Switch(config-pmap)# exit

Switch(config)# interface fastethernet6/1

Switch(config-if)# service-policy input p1

Switch(config-if)# end

Switch# write memory

Switch# show policy-map interface

FastEthernet6/1

Service-policy input: p1

Class-map: c1 (match-all)

15432182 packets

Match: flow ip source-address

police: Per-interface

Conform: 64995654 bytes Exceed: 2376965424 bytes

Class-map: class-default (match-any)

0 packets

Match: any

0 packets

Switch#

Assume there are two active flows on the Fast Ethernet interface 6/1 with destination addresses of 192.168.20.20 and 192.168.20.21. The following example shows how to maintain each flow to 1 Mbps with an allowed burst value of 9000 bytes:

Related Commands

media-type

To select the connector for a dual-mode capable port, use the media-type command.

media-type {rj45 | sfp}

Syntax Description

rj45

Uses the RJ-45 connector.

sfp

Uses the SFP connector.

Defaults

sfp

Command Modes

Interface configuration

Command History

Release

Modification

12.2(20)EWA

Support for this command was introduced for the WS-X4306-GB-T module and the WS-X4948 chassis.

Usage Guidelines

This command is supported on all ports on the WS-X4306-GB-T module and ports 1/45-48 on the WS-X4948 chassis.

Entering the show interface capabilities command provides the Multiple Media Types field, which displays the value no if a port is not dual-mode capable and lists the media types (sfp and rj45) for dual-mode capable ports.

Examples

This example shows how to configure port 5/45 on a WS-X4948 chassis to use the RJ-45 connector:

Switch(config)# interface gigabitethernet 5/45

Switch(config-if)# media-type rj45

mode

To set the redundancy mode, use the mode command.

mode {rpr | sso}

Syntax Description

rpr

Specifies RPR mode.

sso

Specifies SSO mode.

Defaults

For Catalyst 4500 series switches that are configured with Supervisor Engine II+, Supervisor Engine IV, and Supervisor Engine V, the defaults are as follows:

•SSO, if the supervisor engine is using Cisco IOS Release 12.2(20)EWA.

•RPR, if the supervisor engine is using Cisco IOS Release 12.1(12c)EW through Release 12.2(18)EW, as well as Release 12.1(xx)E.

Note If you are upgrading the current supervisor engine from Release 12.2(18)EW or an earlier release to Release 12.2(20)EWA, and the RPR mode has been saved to the startup configuration, both supervisor engines will continue to operate in RPR mode after the software upgrade. To use SSO mode, you must manually change the redundancy mode to SSO.

Command Modes

Redundancy configuration

Command History

Release

Modification

12.2(20)EWA

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

RPR and SSO mode are not supported on Catalyst 4500 series switches that are configured with Supervisor Engine II.

The mode command can be entered only from within redundancy configuration mode.

Follow these guidelines when configuring your system to RPR or SSO mode:

•You must use identical Cisco IOS images and supervisor engines to support RPR and SSO mode. Redundancy may not work due to differences between the Cisco IOS release and supervisor engine capabilities.

•Any modules that are not online at the time of a switchover are reset and reloaded on a switchover.

•If you perform an OIR of the module within 60 seconds before a stateful switchover, the module resets during the stateful switchover and the port states are restarted.

•The FIB tables are cleared on a switchover. Routed traffic is interrupted until route tables reconverge.

The redundant supervisor engine reloads on any mode change and begins to work in the current mode.

Examples

This example shows how to set the redundancy mode to SSO:

Switch(config)# redundancy

Switch(config-red)# mode sso

Switch(config-red)#

Related Commands

monitor session

To enable the SPAN sessions on interfaces or VLANs, use the monitor session command. To remove one or more source or destination interfaces from a SPAN session, or a source VLAN from a SPAN session, use the no form of this command.

Support for remote SPAN and host learning on ingress-enabled destination ports was added.

12.2(20)EW

Support for an IP access group filter was added.

Usage Guidelines

Only one SPAN destination for a SPAN session is supported. If you attempt to add another destination interface to a session that already has a destination interface that is configured, you will get an error. You must first remove a SPAN destination interface before changing the SPAN destination to a different interface.

Beginning in Cisco IOS Release 12.1(12c)EW, you can configure sources from different directions within a single user session.

Note Beginning in Cisco IOS Release 12.1(12c)EW, SPAN is limited to two sessions containing ingress sources and four sessions containing egress sources. Bidirectional sources support both ingress and egress sources.

A particular SPAN session can either monitor VLANs or monitor individual interfaces: you cannot have a SPAN session that monitors both specific interfaces and specific VLANs. If you first configure a SPAN session with a source interface, and then try to add a source VLAN to the same SPAN session, you will receive an error. You will also receive an error message if you configure a SPAN session with a source VLAN, and then try to add a source interface to that session. You must first clear any sources for a SPAN session before switching to another type of source. CPU sources may be combined with source interfaces and source VLANs.

When configuring the ingress option on a destination port, you must specify an ingress VLAN if the configured encapsulation type is untagged (the default) or is 802.1Q. If the encapsulation type is ISL, then no ingress VLAN specification is necessary.

By default, when you enable ingress, no host learning is performed on destination ports. When you enter the learning keyword, host learning is performed on the destination port, and traffic to learned hosts is forwarded out the destination port.

If you enter the filter keyword on a monitored trunking interface, only traffic on the set of specified VLANs is monitored. Port-channel interfaces are displayed in the list of interface options if you have them configured. VLAN interfaces are not supported. However, you can span a particular VLAN by entering the monitor session session source vlan vlan-id command.

The packet-type filters are supported only in the Rx direction. You can specify both Rx- and Tx-type filters and multiple-type filters at the same time (for example, you can use good and unicast to only sniff nonerror unicast frames). As with VLAN filters, if you do not specify the type, the session will sniff all packet types.

The queue identifier allows sniffing for only traffic that is sent or received on the specified CPU queues. The queues may be identified either by number or by name. The queue names may contain multiple numbered queues for convenience.

Examples

This example shows how to configure IP access group 100 on a SPAN session:

Switch(config)# monitor session 1 filter ip access-group 100

Switch(config)#

This example shows how to add a source interface to a SPAN session:

Switch(config)# monitor session 1 source interface fa2/3

Switch(config)#

This example shows how to configure the sources with different directions within a SPAN session:

Switch(config)# monitor session 1 source interface fa2/3 rx

Switch(config)# monitor session 1 source interface fa2/2 tx

Switch(config)#

This example shows how to remove a source interface from a SPAN session:

Switch(config)# no monitor session 1 source interface fa2/3

Switch(config)#

This example shows how to limit SPAN traffic to VLANs 100 through 304:

Switch(config)# monitor session 1 filter vlan 100 - 304

Switch(config)#

This example shows how to configure RSPAN VLAN 20 as the destination:

Switch(config)# monitor session 2 destination remote vlan 20

Switch(config)#

Related Commands

mtu

To enable jumbo frames on an interface by adjusting the maximum size of a packet or maximum transmission unit (MTU), use the mtu command. To return to the default setting, use the no form of this command.

mtu bytes

no mtu

Syntax Description

bytes

Byte size; valid values are from 1500 to 9198.

Defaults

The default settings are as follows:

•Jumbo frames are disabled

•1500 bytes for all ports

Command Modes

Interface configuration mode

Command History

Release

Modification

12.1(13)EW

Support for this command was introduced on the Catalyst 4500 series switches.

Usage Guidelines

Jumbo frames are supported on nonblocking Gigabit Ethernet ports, switch virtual interfaces (SVI), and EtherChannels. Jumbo frames are not available for stub-based ports.

The baby giants feature uses the global system mtu size command to set the global baby giant MTU. It allows all stub-based port interfaces to support an Ethernet payload size of up to 1552 bytes.

Both the system mtu command and the per-interface mtu command work on interfaces that can support jumbo frames, but the per-interface mtu command takes precedence.

Related Commands

policy-map

To access the QoS policy map configuration mode to configure the QoS policy map, use the policy-map command. To delete a policy map, use the no form of this command.

policy-map policy-map-name

no policy-map policy-map-name

Syntax Description

policy-map-name

Specifies the name of the policy map.

Defaults

This command has no default settings.

Command Modes

Global configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

In QoS policy-map configuration mode, these configuration commands are available:

•exit exits QoS class map configuration mode.

•no removes an existing defined policy map.

•class class-map-name accesses the QoS class map configuration mode to specify a previously created class map to be included in the policy map or to create a class map. (See the class-map command for additional information.)

•trust {cos | dscp} sets the specified class trust values. Trust values that are set in this command supersede trust values that are set on specific interfaces.

Examples

This example shows how to create a policy map named ipp5-policy that uses the class-map named ipp5 and is configured to rewrite the packet precedence to 6 and to aggregate police the traffic that matches the IP precedence value of 5:

Syntax Description

Sets the Power over Ethernet state to auto mode for inline-power-capable interfaces.

max milliwatt

(Optional) Maximum power that the equipment can consume; valid range is from 2000 to 15400 mW.

never

Disables both the detection and power for the inline-power capable interfaces.

static

Allocates power statically.

consumption milliwatt

Sets power allocation per interface; valid range is from 4000 to 15400. Any non-default value disables automatic adjustment of power allocation.

Defaults

The default settings are as follows:

•Auto mode for Power over Ethernet is set.

•Maximum mW mode is set to 15400.

•Default allocation is set to 15400.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(11)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(19)EW

Support added for static power allocation.

12.1(20)EW

Support added for Power over Ethernet.

Usage Guidelines

If your interface is not capable of supporting Power over Ethernet, you will receive this message:

Power over Ethernet not supported on interface Admin

Examples

This example shows how to set the inline-power detection and power for the inline-power-capable interfaces:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fastethernet 4/1

Switch(config-if)# power inline auto

Switch(config-if)# end

Switch#

This example shows how to disable the inline-power detection and power for the inline-power-capable interfaces:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fastethernet 4/1

Switch(config-if)# power inline never

Switch(config-if)# end

Switch#

This example shows how to set the permanent Power over Ethernet allocation to 8000 mW for Fast Ethernet interface 4/1 regardless of what is mandated either by the 802.3af class of the discovered device or by any CDP packet that is received from the powered device:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fastethernet 4/1

Switch(config-if)# power inline consumption 8000

Switch(config-if)# end

Switch#

Related Commands

power inline consumption

To set the default power that is allocated to an interface for all the inline-power-capable interfaces on the switch, use the power inline consumption command. To return to the default values, use the no form of this command.

power inline consumption default milliwatts

no power inline consumption default

Syntax Description

default

Specifies the switch to use the default allocation.

milliwatts

Sets the default power allocation in milliwatts; the valid range is from 4000 to 15400. Any non-default value disables automatic adjustment of power allocation.

Defaults

Milliwatt mode is set to 15400.

Command Modes

Global configuration

Command History

Release

Modification

12.1(11)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(20)EW

Support added for Power over Ethernet.

Usage Guidelines

If your interface is not capable of supporting Power over Ethernet, you will receive this message:

Power over Ethernet not supported on interface Admin

Examples

This example shows how to set the Power over Ethernet allocation to use 8000 mW, regardless of any CDP packet that is received from the powered device:

Related Commands

power redundancy-mode

To configure the power settings for the chassis, use the power redundancy-mode command. To return to the default setting, use the default form of this command.

power redundancy-mode {redundant | combined}

default power redundancy-mode

Syntax Description

redundant

Configures the switch to redundant power management mode.

combined

Configures the switch to combined power management mode.

Defaults

Redundant power management mode

Command Modes

Global configuration

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch (Catalyst 4500 series switches only: 4503, 4506, and 4507).

Usage Guidelines

The two power supplies must be the same type and wattage.

Caution If you have power supplies with different types or wattages installed in your switch, the switch will not recognize one of the power supplies. A switch set to redundant mode will not have power redundancy. A switch set to combined mode will use only one power supply.

In redundant mode, the power from a single power supply must provide enough power to support the switch configuration.

Table 2-10 lists the maximum available power for chassis and Power over Ethernet for each power supply.

Examples

Related Commands

port-security mac-address

To configure a secure address on an interface for a specific VLAN or VLAN range, use the port-security mac-address command.

port-security mac-address mac_address

Syntax Description

mac_address

The MAC-address that needs to be secured.

Command Modes

VLAN-range interface submode

Command History

Release

Modification

12.2(25)EWA

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Layer 2 interfaces can be part of multiple VLANs (for example, a typical trunk port). In conjunction with the vlan command, you can use the port-security mac-address command to specify different addresses on different VLANs.

Examples

This example shows how to configure the secure address 1.1.1 on interface Gigabit Ethernet 1/1 for VLANs 2-3:

Related Commands

port-security mac-address sticky

To configure a sticky address on an interface for a specific VLAN or VLAN range, use the port-security mac-address sticky command.

port-security mac-address sticky mac_address

Syntax Description

mac_address

The MAC-address that needs to be secured.

Command Modes

VLAN-range interface submode

Command History

Release

Modification

12.2(25)EWA

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The Sticky feature must be enabled on an interface before you can configure the port-security mac-address sticky command.

Layer 2 interfaces can be part of multiple VLANs (for example, a typical trunk port). In conjunction with the vlan command, you can use the port-security mac-address sticky command to specify different sticky addresses on different VLANs.

Examples

This example shows how to configure the sticky address 1.1.1 on interface Gigabit Ethernet 1/1 for VLANs 2-3:

Related Commands

port-security maximum

To configure the maximum number of addresses on an interface for a specific VLAN or VLAN range, use the port-security maximum command.

port-security maximum max_value

Syntax Description

max_value

The maximum number of MAC-addresses.

Command Modes

VLAN-range interface submode

Command History

Release

Modification

12.2(25)EWA

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Layer 2 interfaces can be part of multiple VLANs (for example, a typical trunk port). In conjunction with the vlan command, you can use the port-security maximum command to specify the maximum number of secure addresses on different VLANs.

If a specific VLAN on a port is not configured with a maximum value, the maximum configured for the port is used for that VLAN. In this situation, the maximum number of addresses that can be secured on this VLAN is limited to the maximum value configured on the port.

Each VLAN can be configured with a maximum count that is greater than the value configured on the port. Also, the sum total of the maximum configured values for all the VLANs can exceed the maximum configured for the port. In either of these situations, the number of MAC addresses secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port configuration maximum.

Examples

This example shows how to configure a maximum number of addresses (5) on interface Gigabit Ethernet 1/1 for VLANs 2-3:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface g1/1

Switch(config-if)# switchport trunk encapsulation dot1q

Switch(config-if)# switchport mode trunk

Switch(config-if)# vlan 2-3

Switch(config-if-vlan-range)# port-security maximum 5

Switch(config-if-vlan-range)# exit

Switch#
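The following is an added example, not part of the original command reference: a small audit script that applies the "lesser of the VLAN maximum and the port maximum" rule from the usage guidelines to a command sequence. The sample input is constructed; the port-level switchport port-security maximum line and the default of 1 for an unconfigured port are assumptions that the page does not state.

```python
import re

# Constructed command sequence modeled on the example above. The port-level
# "switchport port-security maximum" line is an assumption added for the demo.
SAMPLE = """\
interface g1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security maximum 4
 vlan 2-3
  port-security maximum 5
 exit
 vlan 10
  port-security maximum 2
 exit
"""


def expand_vlans(spec):
    """Expand '2-3' or '10' into a list of VLAN IDs (valid IDs are 1 to 4094)."""
    lo, _, hi = spec.partition("-")
    first, last = int(lo), int(hi or lo)
    if not 1 <= first <= last <= 4094:
        raise ValueError(f"bad VLAN range: {spec!r}")
    return list(range(first, last + 1))


def parse_port_security(text, default_port_max=1):
    """Collect the port maximum and the per-VLAN maximums of each interface.

    default_port_max is used when no port-level maximum is configured; the
    value 1 is an assumption about the platform default, not stated on the page.
    """
    ports, current, vlans = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = ports.setdefault(
                m.group(1), {"port_max": default_port_max, "vlan_max": {}})
            vlans = []
        elif current is None:
            continue
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            current["port_max"] = int(m.group(1))
        elif m := re.fullmatch(r"vlan (\d+(?:-\d+)?)", line):
            vlans = expand_vlans(m.group(1))      # enter VLAN-range submode
        elif m := re.fullmatch(r"port-security maximum (\d+)", line):
            for vlan in vlans:
                current["vlan_max"][vlan] = int(m.group(1))
        elif line == "exit":
            vlans = []                            # leave VLAN-range submode
    return ports


def effective_limits(port, carried_vlans):
    """Per-VLAN limit: the lesser of the VLAN maximum and the port maximum.

    A VLAN without its own maximum inherits the port maximum.
    """
    report = {}
    for vlan in carried_vlans:
        configured = port["vlan_max"].get(vlan)
        if configured is None:
            effective = port["port_max"]
        else:
            effective = min(configured, port["port_max"])
        report[vlan] = {
            "configured": configured,
            "effective": effective,
            "capped": configured is not None and configured > port["port_max"],
        }
    return report


def audit(text, carried_vlans):
    """Return one finding for every VLAN maximum that the port maximum caps."""
    findings = []
    for name, port in parse_port_security(text).items():
        for vlan, row in effective_limits(port, carried_vlans).items():
            if row["capped"]:
                findings.append(
                    f"{name} vlan {vlan}: maximum {row['configured']} is capped "
                    f"at the port maximum {port['port_max']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, [2, 3, 10, 20]):
        print(finding)
```

A finding means that the per-VLAN value in the configuration overstates how many addresses that VLAN can actually secure, which matters when the configuration is reviewed against an intended per-VLAN limit.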

Related Commands

power supplies required

To configure the power redundancy mode for the Catalyst 4006 (only), use the power supplies required command. To return to the default power redundancy mode, use the default form of this command or the power supplies required 2 command.

power supplies required {1 | 2}

default power supplies required

Syntax Description

1

Configures the chassis for 1+1 redundancy mode.

2

Configures the switch to 2+1 redundancy mode.

Defaults

2+1 redundancy mode

Command Modes

Global configuration

Command History

Release

Modification

12.1(11)EW

Support for this command was introduced on the Catalyst 4500 series switch (Catalyst 4006 only).

Usage Guidelines

This command is not supported on a Catalyst 4500 series switch.

Examples

This example shows how to set the power supplies that are required for the chassis to 1:

(Optional) Clears the association between a secondary VLAN and a primary VLAN.

Defaults

Private VLANs are not configured.

Command Modes

VLAN configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(12c)EW

Support for extended addressing was added.

12.2(20)EW

Support for community VLAN was added.

Usage Guidelines

You cannot configure VLAN 1 or VLANs 1001 to 1005 as private VLANs.

VTP does not support private VLANs. You must configure private VLANs on each device where you want private VLAN ports.

The secondary_vlan_list parameter cannot contain spaces; it can contain multiple comma-separated items. Each item can be a single private VLAN ID or a range of private VLAN IDs separated by hyphens.

The secondary_vlan_list parameter can contain multiple community VLAN IDs.

The secondary_vlan_list parameter can contain only one isolated VLAN ID. A private VLAN is defined as a set of private ports characterized by a common set of VLAN number pairs: each pair is made up of at least two special unidirectional VLANs and is used by isolated ports or by a community of ports to communicate with the switches.

An isolated VLAN is a VLAN that is used by the isolated ports to communicate with the promiscuous ports. The isolated VLAN traffic is blocked on all other private ports in the same VLAN and can be received only by the standard trunking ports and the promiscuous ports that are assigned to the corresponding primary VLAN.

A community VLAN is the VLAN that carries the traffic among the community ports and from the community ports to the promiscuous ports on the corresponding primary VLAN. A community VLAN is not allowed on a private VLAN trunk.

A promiscuous port is a private port that is assigned to a primary VLAN.

A primary VLAN is a VLAN that is used to convey the traffic from the switches to the customer end stations on the private ports.

You can specify only one isolated vlan-id value, while multiple community VLANs are allowed. You can only associate isolated and community VLANs to one VLAN. The associated VLAN list may not contain primary VLANs. Similarly, a VLAN that is already associated to a primary VLAN cannot be configured as a primary VLAN.

The private-vlan commands do not take effect until you exit the config-VLAN submode.

If you delete either the primary or secondary VLAN, the ports that are associated with the VLAN become inactive.
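The following is an added example, not part of the original command reference: a pre-change check that parses a secondary_vlan_list and applies the association rules listed in the usage guidelines above. The function names, the vlan_types and existing dictionaries, and the sample VLAN numbers in the usage note are hypothetical; the 1 to 4094 bound is the general VLAN ID range.

```python
import re

# From the usage guidelines: VLAN 1 and VLANs 1001 to 1005 cannot be private VLANs.
RESERVED = {1} | set(range(1001, 1006))


def parse_secondary_vlan_list(spec):
    """Expand a secondary_vlan_list such as '303-307,309,440' into sorted IDs."""
    if any(ch.isspace() for ch in spec):
        raise ValueError("secondary_vlan_list cannot contain spaces")
    ids = set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item, re.ASCII)
        if not m:
            raise ValueError(f"not a VLAN ID or hyphenated range: {item!r}")
        first = int(m.group(1))
        last = int(m.group(2) or m.group(1))
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"range reversed or outside 1-4094: {item!r}")
        ids.update(range(first, last + 1))
    return sorted(ids)


def check_association(primary, spec, vlan_types, existing=None):
    """Return the rule violations for associating `spec` with `primary`.

    vlan_types: {vlan_id: 'primary' | 'isolated' | 'community'}
    existing:   {secondary_vlan_id: primary_vlan_id} for associations already
                configured on the switch.
    An empty list means the association passes every rule checked here.
    """
    existing = existing or {}
    problems = []
    secondaries = parse_secondary_vlan_list(spec)

    for vlan in [primary] + secondaries:
        if vlan in RESERVED:
            problems.append(f"VLAN {vlan} cannot be a private VLAN")

    # A VLAN already associated to a primary cannot itself be a primary.
    if primary in existing:
        problems.append(
            f"VLAN {primary} is already a secondary of VLAN {existing[primary]}")

    # Only one isolated VLAN is allowed; several community VLANs are fine.
    isolated = [v for v in secondaries if vlan_types.get(v) == "isolated"]
    if len(isolated) > 1:
        problems.append(f"more than one isolated VLAN in the list: {isolated}")

    for vlan in secondaries:
        kind = vlan_types.get(vlan)
        if kind == "primary":
            problems.append(f"VLAN {vlan} is a primary VLAN and cannot be listed")
        elif kind not in ("isolated", "community"):
            problems.append(f"VLAN {vlan} is not an isolated or community VLAN")
        # A secondary VLAN can be associated to only one primary VLAN.
        if existing.get(vlan, primary) != primary:
            problems.append(
                f"VLAN {vlan} is already associated with VLAN {existing[vlan]}")
    return problems


if __name__ == "__main__":
    # Constructed VLAN inventory for the demonstration.
    types = {202: "primary", 303: "isolated", 304: "community",
             305: "community", 440: "isolated"}
    print(check_association(202, "303-305", types))   # passes
    print(check_association(202, "303,440", types))   # two isolated VLANs
```

Running the check before a change catches a second isolated VLAN or a reused secondary VLAN in review rather than on the switch.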

Related Commands

private-vlan mapping

To create a mapping between the primary and the secondary VLANs so that both share the same primary VLAN SVI, use the private-vlan mapping command. To remove all PVLAN mappings from an SVI, use the no form of this command.

(Optional) Removes the mapping between the secondary VLAN and the primary VLAN.

Defaults

All PVLAN mappings are removed.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The secondary_vlan_list parameter cannot contain spaces. It can contain multiple, comma-separated items. Each item can be a single PVLAN ID or a range of PVLAN IDs separated by hyphens.

This command is valid in the interface configuration mode of the primary VLAN.

The SVI of the primary VLAN is created at Layer 3.

The traffic that is received on the secondary VLAN is routed by the SVI of the primary VLAN.

The SVIs of the existing secondary VLANs do not function and are considered down after this command is entered.

A secondary SVI can be mapped to only one primary SVI. If the configured PVLANs association is different from what is specified in this command (if the specified primary-vlan-id is configured as a secondary VLAN), all the SVIs that are specified in this command are brought down.

If you configure a mapping between two VLANs that do not have a valid Layer 2 association, the mapping configuration does not take effect.

Examples

This example shows how to map the interface of VLAN 20 to the SVI of VLAN 18:

Switch(config)# interface vlan 18

Switch(config-if)# private-vlan mapping 18 20

Switch(config-if)#

This example shows how to permit the routing of the secondary VLAN ingress traffic from PVLANs 303 through 307, 309, and 440 and how to verify the configuration:

Switch# config terminal

Switch(config)# interface vlan 202

Switch(config-if)# private-vlan mapping add 303-307,309,440

Switch(config-if)# end

Switch# show interfaces private-vlan mapping

Interface Secondary VLAN Type

--------- -------------- -----------------

vlan202 303 isolated

vlan202 304 isolated

vlan202 305 isolated

vlan202 306 isolated

vlan202 307 isolated

vlan202 309 isolated

vlan202 440 isolated

Switch#

This example shows the displayed message that you will see if the VLAN that you are adding is already mapped to the SVI of VLAN 18. You must delete the mapping from the SVI of VLAN 18 first.

Switch(config)# interface vlan 19

Switch(config-if)# private-vlan mapping 19 add 21

Command rejected: The interface for VLAN 21 is already mapped as s secondary.

Switch(config-if)#

This example shows how to remove all PVLAN mappings from the SVI of VLAN 19:

Related Commands

private-vlan synchronize

To map the secondary VLANs to the same instance as the primary VLAN, use the private-vlan synchronize command.

private-vlan synchronize

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

MST configuration

Command History

Release

Modification

12.1(12c)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

If you do not map the VLANs to the same instance as the associated primary VLAN when you exit the MST configuration submode, a warning message displays and lists the secondary VLANs that are not mapped to the same instance as the associated primary VLAN. The private-vlan synchronize command automatically maps all secondary VLANs to the same instance as the associated primary VLANs.

Examples

This example shows how to initialize PVLAN synchronization:

Switch(config-mst)# private-vlan synchronize

Switch(config-mst)#

This example assumes that a primary VLAN 2 and a secondary VLAN 3 are associated to VLAN 2, and that all VLANs are mapped to the CIST instance 1. This example also shows the output if you try to change the mapping for the primary VLAN 2 only:

Switch(config)# spanning-tree mst configuration

Switch(config-mst)# instance 1 vlan 2

Switch(config-mst)# exit

These secondary vlans are not mapped to the same instance as their primary:

Related Commands

qos (global configuration mode)

To globally enable QoS functionality on the switch, use the qos command. To globally disable QoS functionality, use the no form of this command.

qos

no qos

Syntax Description

This command has no arguments or keywords.

Defaults

QoS functionality is disabled.

Command Modes

Global configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

If QoS functionality is globally enabled, it is enabled on all interfaces, except on the interfaces where QoS has been disabled. If QoS functionality is globally disabled, all traffic is passed in QoS pass-through mode.

Examples

This example shows how to enable QoS functionality globally on the switch:

Syntax Description

Specifies the account length of the 802.1Q-encapsulated packet (22 bytes).

isl

Specifies the account length of the ISL-encapsulated packet (48 bytes).

length len

Specifies the additional packet length to account for; the valid range is from 0 to 64 bytes.

Defaults

By default, only the length that is specified in the IP header for the IP packets and the length that is specified in the Ethernet header for non-IP packets are included.

Command Modes

Global configuration

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

In the Catalyst 4500 series switch, the qos account layer2 encapsulation command indicates that the policing feature should consider the configured length in addition to the IP length of the packet when policing the IP packets.

Sharing and shaping always use the Ethernet ARPA length.

Note The given length is included when policing all IP packets irrespective of the encapsulation with which it was received. When qos account layer2 encapsulation isl is configured, a fixed length of 48 bytes is included when policing all IP packets, not only those IP packets that are received with ISL encapsulation.

Sharing and shaping use the length that is specified in the Layer 2 headers.

Examples

This example shows how to include an additional 18 bytes when policing IP packets:

Switch# config terminal

Switch(conf)# qos account layer2 encapsulation length 18

Switch (conf)#

This example shows how to disable the consistent accounting of the Layer 2 encapsulation by the QoS features:

Usage Guidelines

The qos aggregate-policer command allows you to configure an aggregate flow and a policing rule for that aggregate. When you enter your rate and burst parameters, the range for the average rate is 32 Kbps to 32 Gbps, and the range for the burst size is 1 KB to 512 MB.

A rate can be entered in bits-per-second without a suffix. In addition, the suffixes described in Table 2-11 are allowed.

Table 2-11 Rate Suffix

Suffix   Description
k        1000 bps
m        1,000,000 bps
g        1,000,000,000 bps

Bursts can be entered in bytes without a suffix. In addition, the suffixes shown in Table 2-12 are allowed.

Table 2-12 Burst Suffix

Suffix   Description
k        1000 bytes
m        1,000,000 bytes
g        1,000,000,000 bytes

Note Due to hardware granularity, the rate value is limited, so the burst that you configure might not be the value that is used.

Modifying an existing aggregate rate limit modifies that entry in NVRAM and in the switch if it is currently being used.

When you enter the aggregate policer name, follow these naming conventions:

•Maximum of 31 characters long and may include a-z, A-Z, 0-9, the dash (-), the underscore (_), and the period (.).

•Must start with an alphabetic character and must be unique across all ACLs of all types.

•Aggregate policer names are case sensitive.

•Cannot be a number.

•Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer.

An aggregate policer can be applied to one or more interfaces. However, if you apply the same policer to the input direction on one interface and to the output direction on a different interface, then you have created the equivalent of two different aggregate policers in the switching engine. Each policer has the same policing parameters, with one policing the ingress traffic on one interface and the other policing the egress traffic on another interface. If you apply an aggregate policer to multiple interfaces in the same direction, only one instance of the policer is created in the switching engine.

You can apply an aggregate policer to a physical interface or to a VLAN. If you apply the same aggregate policer to a physical interface and to a VLAN, then you have created the equivalent of two different aggregate policers in the switching engine. Each policer has the same policing parameters, with one policing the traffic on the configured physical interface and the other policing the traffic on the configured VLAN. If you apply an aggregate policer to only ports or only VLANs, then only one instance of the policer is created in the switching engine.

If you apply a single aggregate policer to the ports and the VLANs in different directions, then you have created the equivalent of four aggregate policers; one for all ports sharing the policer in the input direction, one for all ports sharing the policer in the output direction, one for all VLANs sharing the policer in the input direction, and one for all VLANs sharing the policer in the output direction.
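The following is an added example, not part of the original command reference: it checks an aggregate policer name against the naming conventions above, converts rate and burst values using the suffixes in Table 2-11 and Table 2-12, and counts how many policer instances a set of attachments creates in the switching engine. The function names are hypothetical, and reading "1 KB" and "512 MB" with the decimal multipliers of Table 2-12 is an assumption.

```python
import re

SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}  # Tables 2-11, 2-12
KEYWORDS = {"all", "default-action", "map", "help", "editbuffer"}


def scaled(text, lo, hi, what):
    """Parse digits with an optional k, m or g suffix and range-check the result."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text, re.ASCII)
    if not m:
        raise ValueError(f"{what}: expected digits with optional k, m or g: {text!r}")
    value = int(m.group(1)) * SUFFIX[m.group(2)]
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} is outside {lo} to {hi}")
    return value


def parse_rate(text):
    """Average rate in bits per second; range 32 Kbps to 32 Gbps."""
    return scaled(text, 32_000, 32_000_000_000, "rate")


def parse_burst(text):
    """Burst size in bytes; range 1 KB to 512 MB (decimal units assumed)."""
    return scaled(text, 1_000, 512_000_000, "burst")


def policer_name_problems(name):
    """Return the naming conventions that `name` violates (empty list if none)."""
    problems = []
    if len(name) > 31:
        problems.append("longer than 31 characters")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        problems.append("characters outside a-z, A-Z, 0-9, '-', '_' and '.'")
    # Starting with a letter also rules out a name that is a number.
    if not re.match(r"[A-Za-z]", name):
        problems.append("does not start with an alphabetic character")
    # Names are case sensitive, so keywords are compared exactly (assumption).
    if name in KEYWORDS:
        problems.append("is a reserved keyword")
    return problems


def hardware_instances(attachments):
    """Count the policer instances created in the switching engine.

    attachments: iterable of (kind, target, direction), where kind is 'port'
    or 'vlan' and direction is 'input' or 'output'. Attachments of the same
    kind in the same direction share one instance, so the count is the number
    of distinct (kind, direction) pairs, four at most.
    """
    combos = set()
    for kind, _target, direction in attachments:
        if kind not in ("port", "vlan") or direction not in ("input", "output"):
            raise ValueError(f"bad attachment: {(kind, _target, direction)!r}")
        combos.add((kind, direction))
    return len(combos)


if __name__ == "__main__":
    # Constructed attachments of one policer: the shared budget splits in two.
    print(parse_rate("100k"), parse_burst("10k"))
    print(hardware_instances([("port", "fa5/1", "input"),
                              ("vlan", "vlan 20", "input")]))
```

A count above 1 means the traffic is no longer held to a single shared budget: each instance enforces the full rate and burst on its own.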

Examples

This example shows how to configure a QoS aggregate policer to allow a maximum of 100,000 bits per second with a normal burst size of 10,000 bytes, to transmit when these rates are not exceeded, and to drop packets when these rates are exceeded:

Examples

Related Commands

qos map cos

To define the ingress CoS-to-DSCP mapping for the trusted interfaces, use the qos map cos to dscp command. To clear the entire mapping table, use the no form of this command.

Note You cannot remove a single entry from the table.

qos map cos cos_values to dscp dscp1

no qos map cos to dscp

Syntax Description

cos_values

CoS values; list up to eight CoS values separated by spaces.

to dscp

Defines mapping and specifies DSCP value.

dscp1

DSCP value to map to the CoS values; valid values are from 0 to 63.

Defaults

The default CoS-to-DSCP configuration settings are shown in the following table:

CoS    0    1    2    3    4    5    6    7
DSCP   0    8    16   24   32   40   48   56

Command Modes

Global configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

The CoS-to-DSCP map is used to map the packet CoS (on the interfaces that are configured to trust CoS) to the internal DSCP value. This map is a table of eight CoS values (0 through 7) and their corresponding DSCP value. The switch has one map.

Examples

This example shows how to configure the ingress CoS-to-DSCP mapping for cos 0:

Related Commands

qos map dscp

To map the DSCP values to selected transmit queues and to map the DSCP-to-CoS value, use the qos map dscp command. To return to the default value, use the no form of this command.

qos map dscp dscp-values to tx-queue queue-id

no qos map dscp dscp-values to cos cos-value

Syntax Description

dscp-values

List of DSCP values to map to the queue ID; valid values are from 0 to 63.

to

Defines mapping.

tx-queue

Specifies a transmit queue.

queue-id

Transmit queue; valid values are from 1 to 4.

cos

Specifies the CoS value.

cos-value

Class of service; valid values are from 1 to 7.

Defaults

The default DSCP-to-CoS configuration settings are shown in the following table:

DSCP   0-7   8-15   16-23   24-31   32-39   40-47   48-55   56-63
CoS    0     1      2       3       4       5       6       7

Command Modes

Global configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

You use the DSCP-to-CoS map to map the final DSCP classification to a final CoS. The CoS map is written into the ISL header or 802.1Q tag of the transmitted packet on trunk interfaces and contains a table of 64 DSCP values and the corresponding CoS values. The switch has one map. You can enter up to eight DSCP values, separated by spaces, for a CoS value.

The DSCP-to-transmit-queue map is used to map the final DSCP classification to a transmit queue. You can enter up to eight DSCP values, separated by spaces, for a transmit queue.

Examples

This example shows how to configure the egress DSCP-to-CoS mapping:

Switch(config)# qos map dscp 20 25 to cos 3

Switch(config)#

This example shows how to configure the egress DSCP-to-transmit queue:

Related Commands

qos rewrite ip dscp

To enable DSCP rewrite for IP packets, use the qos rewrite ip dscp command. To disable IP DSCP rewrite, use the no form of this command.

qos rewrite ip dscp

no qos rewrite ip dscp

Syntax Description

This command has no arguments or keywords.

Defaults

IP DSCP rewrite is enabled.

Command Modes

Global configuration

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

If you disable IP DSCP rewrite and enable QoS globally, the following events occur:

•The ToS byte on the IP packet is not modified.

•Marked and marked-down DSCP values are used for queueing.

•The internally derived DSCP (as per the trust configuration on the interface or VLAN policy) is used for transmit queue and Layer 2 CoS determination. The DSCP is not rewritten on the IP packet header.

If you disable QoS, the CoS and DSCP of the incoming packet are preserved and are not rewritten.

Examples

This example shows how to disable IP DSCP rewrite:

Switch(config)# no qos rewrite ip dscp
Switch(config)#

Related Commands

qos trust

To set the trusted state of an interface (for example, whether the packets arriving at an interface are trusted to carry the correct CoS, ToS, and DSCP classifications), use the qos trust command. To set an interface to the untrusted state, use the no form of this command.

qos trust {cos | device cisco-phone | dscp | extend [cos priority]}

no qos trust {cos | device cisco-phone | dscp | extend [cos priority]}

Syntax Description

cos

Specifies that the CoS bits in incoming frames are trusted and derives the internal DSCP value from the CoS bits.

device cisco-phone

Specifies the Cisco IP phone as the trust device for a port.

dscp

Specifies that the ToS bits in the incoming packets contain a DSCP value.

extend

Specifies to extend the trust to Port VLAN ID (PVID) packets coming from the PC.

cos priority

(Optional) Specifies that the CoS priority value is set to PVID packets; valid values are from 0 to 7.

Defaults

The default settings are as follows:

•If global QoS is enabled, trust is disabled on the port.

•If global QoS is disabled, trust DSCP is enabled on the port.

•The CoS priority level is 0.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.1(11)EW

Support for extending trust for voice was added.

12.1(19)EW

Support for trust device Cisco IP phone was added.

Usage Guidelines

You can only configure the trusted state on physical LAN interfaces.

By default, the trust state of an interface when QoS is enabled is untrusted; when QoS is disabled on the interface, the trust state is reset to trust DSCP.

When the interface trust state is qos trust cos, the transmit CoS is always the incoming packet CoS (or the default CoS for the interface, if the packet is not tagged).

When the interface trust state is not qos trust dscp, the security and QoS ACL classification will always use the interface DSCP and not the incoming packet DSCP.

Trusted boundary should not be configured on the ports that are part of an EtherChannel (that is, a port channel).

Examples

This example shows how to set the trusted state of an interface to CoS:

Switch(config-if)# qos trust cos

Switch(config-if)#

This example shows how to set the trusted state of an interface to DSCP:

Related Commands

qos vlan-based

To enable per-VLAN QoS for a Layer 2 interface, use the qos vlan-based command. To disable per-VLAN QoS for a Layer 2 interface, use the no form of this command.

qos vlan-based

no qos vlan-based

Syntax Description

This command has no arguments or keywords.

Defaults

Per-VLAN QoS is disabled.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

In VLAN-based mode, the policy map that is attached to the Layer 2 interface is ignored, and QoS is driven by the policy map that is attached to the corresponding VLAN interface.

Per-VLAN QoS can be configured only on the Layer 2 interfaces.

If no input QoS policy is attached to a Layer 2 interface, then the input QoS policy that is attached to the VLAN (on which the packet is received), if any, is used even if the port is not configured as VLAN based.

If you do not want this default, attach a placeholder input QoS policy to the Layer 2 interface.

Similarly, if no output QoS policy is attached to a Layer 2 interface, then the output QoS policy that is attached to the VLAN (on which the packet is transmitted), if any, is used even if the port is not configured as VLAN based.

If you do not want this default, attach a placeholder output QoS policy to the Layer 2 interface.

Examples

Related Commands

remote login module

To remotely connect to a specific module, use the remote login module configuration command.

remote login module mod

Syntax Description

mod

Target module for the command.

Defaults

This command has no default settings.

Command Modes

Privileged

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command applies only to the Access Gateway Module on Catalyst 4500 series switches.

The valid values for mod depend on the chassis used. For example, if you have a Catalyst 4006 chassis, valid values for the module are from 2 to 6. If you have a 4507R chassis, valid values are from 3 to 7.

When you execute the remote login module mod command, the prompt changes to Gateway#.

The remote login module command is identical to the session module mod and the attach module mod commands.

Examples

This example shows how to remotely log in to the Access Gateway Module:

Examples

Related Commands

service-policy

To attach a policy map to an interface or to apply different QoS policies on VLANs that an interface belongs to, use the service-policy command. To remove a policy map from an interface, use the no form of this command.

service-policy {input | output} policy-map name

no service-policy {input | output} policy-map name

Syntax Description

input

Specifies the input policy maps.

output

Specifies the output policy maps.

policy-map name

Name of a previously configured policy map.

Defaults

A policy map is not attached to an interface.

Command Modes

Interface configuration

Command History

Release

Modification

12.1(8a)EW

Support for this command was introduced on the Catalyst 4500 series switch.

12.2(25)EWA

Support for applying different QoS policies on VLANs was introduced.

Usage Guidelines

Layer 2 interfaces can be part of multiple VLANs (for example, a typical trunk port). In conjunction with the vlan-range command, you can use the service-policy command to specify different QoS policies on different VLANs.

Note This capability is restricted to Layer 2 interfaces.

You cannot apply a policy-map under an interface and a VLAN range at the same time.

Examples

This example shows how to attach a policy map to Fast Ethernet interface 5/20:

Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)# interface fastethernet 5/20

Switch(config-if)# service-policy input pmap1

Switch(config-if)# end

This example shows how to apply policy-map p1 for traffic in VLANs 20 and 400, and policy-map p2 for traffic in VLANs 300 through 301:

Related Commands

session module

To remotely connect to a specific module, use the session module configuration command.

session module mod

Syntax Description

mod

Target module for the command.

Defaults

This command has no default settings.

Command Modes

Privileged

Command History

Release

Modification

12.1(19)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

This command applies only to the Access Gateway Module on Catalyst 4500 series switches.

The valid values for mod depend on the chassis that is used. For example, if you have a Catalyst 4006 chassis, valid values for the module are from 2 to 6. If you have a 4507R chassis, valid values are from 3 to 7.

When you execute the session module mod command, the prompt changes to Gateway#.

The session command is identical to the attach module mod and the remote login module mod commands.

Examples

This example shows how to remotely log in to the Access Gateway Module:

Related Commands

shape

To specify traffic shaping on an interface, use the shape command. To remove traffic shaping, use the no form of this command.

shape [rate] [percent]

no shape [rate] [percent]

Syntax Description

rate

(Optional) Specifies an average rate for traffic shaping; the range is 16000 to 1000000000. Post-fix notation (k, m, and g) is optional and a decimal point is allowed.

percent

(Optional) Specifies a percent of bandwidth for traffic shaping.

Defaults

Default is no traffic shaping.

Command Modes

Interface transmit queue configuration mode

Command History

Release

Modification

12.2(18)EW

Support for this command was introduced on the Catalyst 4500 series switch.

Usage Guidelines

Traffic shaping is available on all the ports, and it sets an upper limit on the bandwidth.

When the high shape rates are configured on the Catalyst 4500 Supervisor Engine V (WS-X4516), the shaped traffic rate may not be achieved in situations that involve contention and unusual packet size distributions. On the ports that are multiplexed through a Stub ASIC and connected to the backplane gigaports, the shape rates above 7 Mbps may not be achieved under worst-case conditions. On ports that are connected directly to the backplane gigaports, or the supervisor engine gigaports, the shape rates above 50 Mbps may not be achieved under worst-case conditions.

Some examples of ports that are connected directly to the backplane are as follows:

•Uplink ports on Supervisor Engine II+, III, IV, and V

•Ports on the WS-X4306-GB module

•The two 1000BASE-X ports on the WS-X4232-GB-RJ module

•The first two ports on the WS-X4418-GB module

•The two 1000BASE-X ports on the WS-X4412-2GB-TX module

All ports on the 24-port modules and the 48-port modules are multiplexed through a Stub ASIC. Some examples of ports multiplexed through a Stub ASIC are as follows:

•10/100 ports on the WS-X4148-RJ45 module

•10/100/1000 ports on the WS-X4124-GB-RJ45 module

•10/100/1000 ports on the WS-X4448-GB-RJ45 module

Examples

This example shows how to configure a maximum bandwidth (70 percent) for the interface fa3/1: